Method and Apparatus for Elliptic Curve Scalar Multiplication



This application claims the benefit of U.S. Provisional Application 60/343,225, filed
December 31, 2001, the contents of which are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to cryptography, and more particularly to the computation
of elliptic curve scalar multiplication.



BACKGROUND OF THE INVENTION

Cryptography is commonly used to provide data security over public networks, such as
the Internet. Cryptographic protocols enable certain security goals to be achieved for various
applications. A particularly efficient form of cryptography that is used in constrained devices is
elliptic curve cryptography. Elliptic curve cryptography (ECC) is performed in a group of points
on an elliptic curve. Such groups provide security at smaller bit sizes than alternative schemes.

The main operation in elliptic curve cryptography is so-called scalar multiplication, that
is, computing an integer multiple of a point on an elliptic curve. Increases in efficiency may be
obtained by increasing the speed at which elliptic curve scalar multiplication is performed.
Certain elliptic curves allow faster computation because of special structure within the elliptic
curve group. The special structure in the group means that there are special relationships
between group elements. These relationships allow some computations to be performed more
efficiently than in the general case.

One class of curves with special structure in the elliptic curve groups is those that provide
a complex multiplication operation. Typically these curves are the Koblitz curves, also known as
anomalous binary curves. These curves have a defining equation $y^2 + xy = x^3 + a_1 x^2 + 1$, where
$a_1$ is either 0 or 1. The points in the elliptic curve group defined by such an equation are the
points $(x, y)$ that satisfy the equation, where $x$ and $y$ are elements of the finite field $\mathbb{F}_{2^m}$, along
with a special point called the "point at infinity." The point at infinity operates as the zero
element of the group. On a Koblitz curve, the Frobenius mapping $\tau : (x, y) \mapsto (x^2, y^2)$ is
efficiently computable and satisfies a characteristic equation $\tau^2 + 2 = \mu\tau$, where $\mu$ is $-1$ if $a_1$ is 0
and $\mu$ is $1$ if $a_1$ is 1. The mapping $\tau$ may be regarded as a complex number, namely the solution to
the characteristic equation. Points on the curve may be multiplied by certain complex numbers
that are written in terms of $\tau$, whereas in the usual case points may only be multiplied by
integers. Multiplying a point by $\tau$ corresponds to applying the Frobenius mapping to the point. In
a technical report entitled Improved Algorithms for Arithmetic on Anomalous Binary Curves by
Jerome Solinas, 1999, available at http://www.cacr.uwaterloo.ca, the properties of the Frobenius
mapping and its use to accelerate computations are analyzed in detail.

By applying the relationship $\tau^2 + 2 = \mu\tau$, the degree of a polynomial in $\tau$ can be reduced.
Thus, any polynomial in $\tau$ can be represented in the form $A + B\tau$ after appropriate reduction.
The existence of complex multiplication on a curve means that scalars may be operated
on modulo a truncator, $T$, which under scalar multiplication sends every point to the identity
element: $TP$ is the point at infinity (for $P$ in the prime-order subgroup in which the protocols
operate). It can be shown that the value $T = \frac{\tau^m - 1}{\tau - 1}$ works as a truncator. The truncator may also be
expressed in the form $A + B\tau$ by using the relationship $\tau^2 + 2 = \mu\tau$ to obtain integers $a$ and $b$
such that $T = a + b\tau$. The conjugate of the truncator $T$ is denoted by $\bar{T}$. The product $T\bar{T}$ is
defined as the norm of $T$, is denoted $N(T)$, and can be calculated as $N(T) = a^2 + \mu ab + 2b^2$, an
integer.
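As an added worked example (not part of the application), the reduction above carried through for $m = 7$ and $a_1 = 1$, so $\mu = 1$ and $\tau^2 = \tau - 2$; the subgroup-order remark at the end is a fact about this small curve, not something the application states:

```latex
\begin{aligned}
\tau^2 &= \tau - 2, &
\tau^3 &= \tau\cdot\tau^2 = \tau^2 - 2\tau = -\tau - 2, &
\tau^4 &= -\tau^2 - 2\tau = -3\tau + 2, \\
\tau^5 &= -3\tau^2 + 2\tau = -\tau + 6, &
\tau^6 &= -\tau^2 + 6\tau = 5\tau + 2, &
\tau^7 &= 5\tau^2 + 2\tau = 7\tau - 10 .
\end{aligned}
\\[1ex]
T = \frac{\tau^7 - 1}{\tau - 1} = \sum_{i=0}^{6}\tau^i
  = (1 + 0 - 2 - 2 + 2 + 6 + 2) + (0 + 1 + 1 - 1 - 3 - 1 + 5)\tau = 7 + 2\tau,
\qquad a = 7,\; b = 2 .
\\[1ex]
\text{Check: } (\tau - 1)T = 7\tau + 2\tau^2 - 7 - 2\tau = 5\tau + 2(\tau - 2) - 7 = 7\tau - 11 = \tau^7 - 1 .
\\[1ex]
\bar{T} = a + b\mu - b\tau = 9 - 2\tau,
\qquad
N(T) = T\bar{T} = a^2 + \mu ab + 2b^2 = 49 + 14 + 8 = 71 .
```

Here $N(T) = 71$ is the order of the prime-order subgroup of this curve over $\mathbb{F}_{2^7}$ (the full group has $142 = 2 \cdot 71$ points), which is the sense in which $T$ annihilates every point of that subgroup.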

In order to compute an elliptic curve multiplication of a scalar $k$ by a point $P$, Solinas
teaches how to perform a modular reduction of $k$. The truncator $T$ is the modulus. This method
requires finding a quotient $q$ and a remainder $r$ satisfying the equation $k = qT + r$ where the
remainder $r$ is as small in norm as possible. The remainder $r$ is the result of a modular reduction
of $k$ modulo $T$. Solinas teaches a method of rounding off $k/T$ and then solving for the remainder $r$.
In this method, a quantity $\lambda$ is computed as $\lambda = \frac{k}{T}$. The quantity $\lambda$ is expressed in the form $A +
B\tau$ by multiplying the numerator and denominator by the complex conjugate $\bar{T}$ of $T$. Thus
$\lambda = \frac{k}{T} = \frac{k\bar{T}}{N(T)}$. Then the quantity $\lambda$ is rounded using a special purpose rounding algorithm,
referred to as Routine 60. The rounding method operates on $\lambda$ based on a geometric construction
that is particular to arithmetic using $\tau$. The rounded value of $\lambda$ is used as the quotient so that
the remainder $r$ may be computed as $r = k - qT$. The remainder $r$ is the value of $k$ reduced
modulo the truncator.

It is recognized that for a truncator $T$, the quantity $kP$ is equivalent to $(k - qT)P$ for all $q$
since $TP$ is equal to the point at infinity, which operates as the zero element in the elliptic curve
group. Certain choices of the quotient $q$ will lead to scalars for which multiplication is faster than
others. Accordingly, it is of interest to efficiently find a quotient $q$ so that multiplication by $k - qT$
is more efficient than multiplication by $k$.

The algorithm that Solinas teaches for reducing a scalar modulo the truncator requires the
special purpose rounding algorithm to be executed each time a scalar multiplication is required.
It optimizes based on an average case analysis and therefore requires extensive computation for
each scalar multiplication. This is particularly onerous in constrained devices with limited
computing power such as PDA's (Personal Digital Assistants), wireless devices, and the like.

Solinas also presents a more efficient method of performing the modular reduction. It obtains
an element that is congruent to $k$ modulo $T$, but not necessarily of minimal norm. This
improvement focusses on the computation of $\lambda$. Solinas teaches computing an approximation of
the coefficients of $\lambda$, then using these approximate coefficients in the special purpose rounding
algorithm. However, this method still requires use of the special purpose rounding algorithm.
Further, this method requires execution of the approximate division algorithm each time a scalar
multiplication is performed since the quantity $\lambda = \frac{k}{T}$ depends on the scalar $k$.

Accordingly, there is a need for a method of performing elliptic curve scalar
multiplications that obviates or mitigates at least some of the above disadvantages.

SUMMARY OF THE INVENTION

The applicants have recognized an alternate method of performing modular reduction that
admits precomputation. The precomputation is enabled by approximating the inverse of the
truncator $T$, which does not depend on the scalar.

The applicants have also recognized that the representation of a scalar in a $\tau$-adic
representation may be optimized for each scalar that is needed.

The applicants have further recognized that a standard rounding algorithm may be used to
perform reduction modulo the truncator.

In general terms, there is provided a method of reducing a scalar modulo a truncator, by
pre-computing an inverse of the truncator. Each scalar multiplication then utilizes the
pre-computed inverse to enable computation of the scalar multiplication without requiring a division
by the truncator for each scalar multiplication.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become more
apparent in the following detailed description in which reference is made to the appended
drawings wherein:

Figure 1 is a schematic representation of a cryptographic system.

Figure 2 is a flowchart showing a method performed by a correspondent of Figure 1.

Figure 3 is a flowchart showing a method used in one step of the method in Figure 2.

Figure 4 is a flowchart showing a method of computing a digital signature using the
method of Figure 2.

Figure 5 is a flowchart of a method of verifying a digital signature using the method of
Figure 2.

Figure 6 is a flowchart showing a method of generating a shared secret using the method
of Figure 2.

Figure 7 is a schematic representation of a cryptographic system using the method of
Figure 2.

Figure 8 is a flowchart of a further protocol.
DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to Figure 1, a cryptographic system is shown generally by the numeral 10. A
pair of correspondents 12, 14 communicate over a network 16. Each correspondent has an
arithmetic logic unit (ALU) 18, 20, and elliptic curve parameters. The ALU can be a
general-purpose computer, with a cryptographic unit, which implements cryptographic protocols from
instructions provided by software. The software may be provided on a data carrier or in
dedicated hardware. The cryptographic unit implements Elliptic Curve Cryptography. Each
correspondent's elliptic curve parameters comprise an elliptic curve equation
$y^2 + xy = x^3 + a_1 x^2 + 1$, where $a_1$ is either 0 or 1, a finite field, a long-term private key, a
corresponding long-term public key, and a set of pre-computed parameters $s$, $t$, $u$. The
correspondents make an authentic copy of long-term public keys available through a directory or
a certificate.

To implement a protocol, for example ECDSA (Elliptic Curve Digital Signature
Algorithm), one ALU 18, 20 selects a number $k$ as its session or ephemeral private key. To
compute the corresponding public key, it is necessary to compute $kP$. The ALU performs the
steps shown in Figure 2 in order to compute $kP$ and uses the set of precomputed parameters to
compute more efficiently.

Prior to the computation of $kP$, the parameters $s$, $t$, $u$ are obtained. These may be
computed at initialization or retrieved from values provided with the software to implement the
selected protocols.

The precomputed parameters relate to an approximation of the truncator. In the
preferred embodiment, the truncator is $T = \frac{\tau^m - 1}{\tau - 1}$.

To approximate the inverse $\frac{1}{T}$ of the truncator $T$, a significance parameter $u$ and two
integers $s$ and $t$ are chosen so that $\frac{s}{2^u} + \frac{t}{2^u}\tau$ approximates the inverse of the truncator $T$.

The values $s$, $t$, $u$ depend on the truncator $T$, and may be computed by first
expressing the truncator in the form $T = a + b\tau$, where $a$ and $b$ are integers. The quantities $a$ and
$b$ are determined by the truncator, and may be computed by successive applications of the
relationship $\tau^2 + 2 = \mu\tau$ so that $T$ is represented as the sum of an integer, $a$, and an integer, $b$,
multiplied by $\tau$.

Then the quantity $\frac{1}{T} = \frac{1}{a + b\tau}$ may be expressed as a polynomial by rationalizing the
denominator. It is recognized that the element $a + b\mu - b\tau$ is a conjugate of $T = a + b\tau$. It can
also be verified that $(a + b\tau)(a + b\mu - b\tau) = a^2 + \mu ab + 2b^2$, the norm of $T$. Defining $c = a + b\mu$
and $e = -b$, the conjugate may be denoted as $c + e\tau$, where $c$ and $e$ are integers. Defining
$d = a^2 + \mu ab + 2b^2$ then means that $\frac{1}{T} = \frac{c + e\tau}{d}$, where $c$, $d$, and $e$ are integers.

The expression for $\frac{1}{T}$ requires divisions, and so in general $\frac{c}{d}$ and $\frac{e}{d}$ will be real
numbers that cannot be computed to arbitrary accuracy. In order to compute efficiently, the
significance parameter $u$ is chosen to determine the accuracy with which $\frac{1}{T}$ will be represented.
Using the notation that $]x[$ means an integer close to a real number $x$, the value $s$ is taken
to be $s = \left]\frac{2^u c}{d}\right[$ and the value $t$ is taken to be $t = \left]\frac{2^u e}{d}\right[$. Scaling by a power of two is
what makes the later division by $2^u$ a shift rather than a true division.

Once the parameters $s$ and $t$ are precomputed, an appropriate quotient $q$ may be computed
for any chosen $k$ simply by computing the formula $q = \left]\frac{sk}{2^u}\right[ + \left]\frac{tk}{2^u}\right[\tau$, which needs only
integer multiplications, shifts and roundings. Once a value for the
quotient $q$ is obtained, a remainder $r$ may be computed as $k - qT$ to obtain a value equivalent to
$k$ modulo $T$ that admits efficient computation. This is because $q$ is approximately equal to $\frac{k}{T}$
and so $qT$ is close to $k$, and therefore $k - qT$ is close to $0$, with its exact magnitude determined by
the choice of the significance parameter $u$.

fij 

Referring therefore to Figure 2, a method for computing a product $kP$ is shown generally
by the numeral 100. The correspondent 12 first obtains, as indicated at 102, the pre-computed
parameters. These are the significance parameter $u$, and the two coefficients $s$, $t$. Then, the
correspondent 12 obtains (104) the scalar $k$ and the point $P$ for which it wants to compute $kP$.
The correspondent 12 computes (106) a quotient $q$ by using the formula $q = \left]\frac{sk}{2^u}\right[ + \left]\frac{tk}{2^u}\right[\tau$. Then the
correspondent 12 computes (108) the value of $k - qT$ in the form $f + g\tau$ to obtain a remainder
$r$ equivalent to $k$ modulo the truncator $T$. Then, the correspondent 12 computes (110) the quantity
$(f + g\tau)P$ by using a simultaneous exponentiation algorithm. Since the remainder $r$ is
equivalent to $k$ modulo the truncator $T$, the quantity $(f + g\tau)P$ is equal to $kP$, and
accordingly scalar multiplication by $k$ may be replaced by scalar multiplication by $f + g\tau$.

Computing $\tau P$ can be done efficiently by applying the Frobenius operator to $P$. The
Frobenius operator can be implemented as a cyclic shift when using an appropriate basis (a normal
basis) for the field elements. As shown in
Figure 3 generally by the numeral 300, to compute the multiple $(f + g\tau)P$, a window width $w$ is
first established (302). Then, a table 350 of small multiples of $P$ of the predetermined width $w$
(the multiples $iP$ for $0 \le i < 2^w$) is
established (304). The scalars $f$ and $g$ are then examined (306) using windows of the
predetermined width $w$. The multiples of $P$ corresponding to each window are retrieved (308)
from the table 350. The table entry from the window corresponding to $f$ is placed (310) in an
accumulator. The Frobenius operator is applied to the table entry from the window
corresponding to $g$, and then added to the accumulator (312). The accumulator is doubled in
accordance with the width of the window (314), and then the next window is examined (316). The
process is repeated (318) until $f$ and $g$ have been processed. At the conclusion of these repetitions,
the multiple $(f + g\tau)P$ corresponding to $kP$ is provided (320).

It is recognized that it is not necessary to find the best quotient $q$, but merely a choice for
quotient $q$ that yields a scalar equivalent to $k$ modulo $T$ that admits more efficient
computation of the scalar multiplication.

The rounding function $]x[$ can be the standard decimal rounding function, or a floor
function, or a ceiling function. Any function yielding an integer close to the real number will
work. The accuracy of the rounding partially determines the accuracy of the approximation to the
inverse of the truncator. The significance parameter $u$ also determines the accuracy of the
approximation to the inverse of the truncator. It is recognized that there is a trade-off between
determining the inverse of the truncator accurately, and achieving efficient computation. By
reducing the accuracy of the rounding function and the significance parameter, the preliminary steps
of the method are made more efficient. The cost of this efficiency in the preliminary stages of the
method is paid in the scalar multiplication itself, since a less accurate quotient leaves a remainder
$r = f + g\tau$ of larger norm, and hence longer $f$ and $g$ to process.
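The reduction of Figure 2 and the windowed simultaneous multiplication of Figure 3, carried through end to end, as an added example that is not part of the application or of any library it cites. It assumes a toy curve: the field $\mathbb{F}_{2^7}$ with reduction polynomial $x^7 + x + 1$, $a_1 = 1$ (so $\mu = 1$, truncator $T = 7 + 2\tau$ and $N(T) = 71$), significance parameter $u = 8$, window width $w = 2$, and a base point $P$ made to have odd order by multiplying a curve point by the cofactor, so that $TP$ is the point at infinity. All function and parameter names are the example's own; the result of `kP_via_reduction` is checked against plain double-and-add.

```python
# Added example (not from the patent or any library): the precomputed-inverse reduction of
# Figure 2 and the windowed simultaneous multiplication of Figure 3 on a toy Koblitz curve.
# Assumed: GF(2^7) with reduction polynomial x^7 + x + 1, a_1 = 1 (so mu = 1), u = 8.
M, POLY, A = 7, (1 << 7) | (1 << 1) | 1, 1
MU = 1 if A == 1 else -1

def gf_mul(x, y):                      # GF(2^M) multiplication, shift-and-xor
    r = 0
    while y:
        if y & 1:
            r ^= x
        y, x = y >> 1, x << 1
        if x >> M:
            x ^= POLY
    return r

def gf_inv(x):                         # x^(2^M - 2) == 1/x for x != 0
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def ec_add(P, Q):                      # affine addition on y^2 + xy = x^3 + A x^2 + 1; None is O
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:        # Q == -P, or doubling the 2-torsion point (0, 1)
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def tau(P):                            # Frobenius: square both coordinates
    return None if P is None else (gf_mul(P[0], P[0]), gf_mul(P[1], P[1]))

def ec_mul(k, P):                      # reference double-and-add (k >= 0), used for checking
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == '1':
            R = ec_add(R, P)
    return R

def base_point():
    # Brute force is fine at M = 7; the cofactor (2 for a_1 = 1, 4 for a_1 = 0) leaves a
    # point of odd order, which the truncator annihilates: T P = O.
    for x in range(1, 1 << M):
        rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(A, gf_mul(x, x)) ^ 1
        for y in range(1 << M):
            if gf_mul(y, y) ^ gf_mul(x, y) == rhs:
                return ec_mul(2 if A else 4, (x, y))

def ztau_mul(p, q):                    # (a0 + b0 tau)(a1 + b1 tau), using tau^2 = MU tau - 2
    (a0, b0), (a1, b1) = p, q
    return (a0 * a1 - 2 * b0 * b1, a0 * b1 + a1 * b0 + MU * b0 * b1)

def ztau_norm(p):                      # N(a + b tau) = a^2 + MU a b + 2 b^2
    return p[0] * p[0] + MU * p[0] * p[1] + 2 * p[1] * p[1]

def truncator():                       # T = 1 + tau + ... + tau^(M-1), reduced to a + b tau
    total, power = (0, 0), (1, 0)
    for _ in range(M):
        total, power = (total[0] + power[0], total[1] + power[1]), ztau_mul(power, (0, 1))
    return total

def rnd(num, den):                     # ]num/den[ : round half up to an integer, den > 0
    return (2 * num + den) // (2 * den)

def precompute(u):                     # once per curve: 1/T ~ (s + t tau) / 2^u
    a, b = T = truncator()
    c, e, d = a + MU * b, -b, ztau_norm(T)   # conjugate c + e tau over the norm d
    return T, rnd(c << u, d), rnd(e << u, d)

def reduce_scalar(k, T, s, t, u):      # per scalar: q = ]sk/2^u[ + ]tk/2^u[ tau, r = k - q T
    qa, qb = ztau_mul((rnd(s * k, 1 << u), rnd(t * k, 1 << u)), T)
    return (k - qa, -qb)               # r = f + g tau

def mul_f_plus_g_tau(f, g, P, w=2):    # Figure 3: windowed simultaneous (f + g tau) P
    table = [None]                     # table[i] = i P for 0 <= i < 2^w
    for _ in range(1, 1 << w):
        table.append(ec_add(table[-1], P))
    fa, ga, mask, acc = abs(f), abs(g), (1 << w) - 1, None
    for i in reversed(range((max(fa.bit_length(), ga.bit_length()) + w - 1) // w)):
        for _ in range(w):             # 'doubled in accordance with the width of the window'
            acc = ec_add(acc, acc)
        tf, tg = table[(fa >> (i * w)) & mask], tau(table[(ga >> (i * w)) & mask])
        for pt, sgn in ((tf, f), (tg, g)):   # negate the entry when f or g is negative
            acc = ec_add(acc, pt if sgn >= 0 or pt is None else (pt[0], pt[0] ^ pt[1]))
    return acc

def kP_via_reduction(k, P, u=8):       # the whole Figure 2 pipeline for one scalar
    T, s, t = precompute(u)
    return mul_f_plus_g_tau(*reduce_scalar(k, T, s, t, u), P)
```

With these parameters `precompute(8)` gives $s = 32$, $t = -7$, and $k = 50$ reduces to $r = 4 - 3\tau$, whose norm 22 is well below $N(T) = 71$. The rounding used is half-up integer rounding, one of the choices the text allows. Note that the table lookups in `mul_f_plus_g_tau` are indexed by windows of the secret-derived $f$ and $g$, and the number of windows depends on their size; a production implementation would need constant-time handling of both, which the application does not address.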

In another embodiment, the processor implements a signature generation method shown
generally as numeral 400 in Figure 4. In the exemplary signature method, the signature
generation requires the computation of a pair of signature components $R = kP$ and $s = ae + k$,
where $P$ is an elliptic curve generating point, $k$ is a short term private key, $a$ is a long term private
key, and $e$ is a hash of a message. To perform the signature generation, the signer computes (402)
the hash $e$ of a message $m$. The signer generates (404) an ephemeral private key $k$. The signer
computes (406) a first signature component $R = kP$, which requires computing a point multiple.
Finally, the signer computes (408) a second signature component $s = ae + k$. The method
according to Figure 2 is used to compute the point multiple.

In still another embodiment, the processor implements a signature verification method
shown as numeral 500 in Figure 5. In the exemplary signature method, the verification requires
the computation of the quantity $sP - eQ$, where $P$ and $Q$ are elliptic curve points ($Q = aP$ being
the signer's long term public key, so that $sP - eQ = kP = R$ for a valid signature), $s$ is a signature
component, and $e$ is a hash of a message. One or both of the elliptic curve multiplications $sP$
and $eQ$ is performed using the method shown in Figure 2. The verifier first obtains (502) a
message $m$ and a signature $(R, s)$, which it wishes to verify as originating from a signer. The
verifier has an authentic copy of the signer's public key. The verifier computes $sP$ as indicated at
504, using the method of Figure 2. Then the verifier computes $eQ$ (506) using the method of
Figure 2. Then the verifier computes (508) the quantity $sP - eQ$ and compares (510) the result to
the signature component $R$. The method according to Figure 2 is used to compute the point
multiples.

In a further embodiment, the processor implements a Diffie-Hellman key exchange
protocol, shown generally as numeral 600 in Figure 6. In this protocol, the first correspondent
generates (602) a private key $k$. The first correspondent computes (604) a public key $kP$ using the
method of Figure 2. The first correspondent obtains at 606 a public key $k'P$ of the second
correspondent. The first correspondent then computes (608) the shared secret $kk'P$ as the
scalar multiplication of the second correspondent's public key and the first correspondent's
private key using the method of Figure 2. The second correspondent can perform a similar
computation of the shared secret key from $kP$ and $k'$.

Each correspondent in such a protocol must generate a private key, then perform a point
multiplication to obtain a public key which is sent to the other correspondent. Then, each
correspondent performs a point multiplication of his or her own private key with the other
correspondent's public key to obtain a shared secret key. Preferably, one or both of the point
multiplications performed by the correspondents to compute their public keys is performed using
the method according to Figure 2. More preferably, one or both of the correspondents also uses
the method of Figure 2 to compute the point multiplication required to obtain the shared secret
key. Still more preferably, both correspondents use the method of Figure 2 to compute each of
the aforementioned point multiplications.

In a yet further embodiment, the method according to Figure 2 is used as a component of
a cryptographic system to provide a point multiple to any cryptographic method, as shown in
Figure 7. The cryptographic system 700 provides a cryptographic method 702. When the
cryptographic method 702 requires a point multiplication $mP$, it provides $m$ and $P$ to a
component 704 implementing the method of Figure 2. The component 704 computes $mP$ and
provides the result to the cryptographic method. The component 704 can be software instructions
executable by the cryptographic system 700, or a dedicated hardware component such as an
arithmetic logic unit.

In a still further embodiment, the method according to Figure 2 is used in the Elliptic
Curve MQV (Menezes, Qu, Vanstone) protocol, as shown in Figure 8. In this protocol, two
correspondents Alice and Bob wish to share a secret key. It is assumed that the two
correspondents have agreed on an elliptic curve and a generating point $P$ of order $q$. Each
correspondent has a respective long term private key $a$, $b$ and a corresponding long term public
key $Y_A = aP$, $Y_B = bP$. Each correspondent has an authentic copy of the other correspondent's
long term public key, which may be obtained from a certificate or a directory or other known
methods.

To perform the protocol, Alice selects an ephemeral private key $x$ at random from the
interval 1 to $q-1$ (802). Bob selects an ephemeral private key $y$ at random from the interval 1 to
$q-1$ (804). Alice computes the ephemeral public key $R_A = xP$ corresponding to the ephemeral private
key $x$ (806) by using the method of Figure 2. Similarly, Bob computes his ephemeral public key
$R_B = yP$ (808). Alice sends $xP$ to Bob (810) and Bob sends $yP$ to Alice (812). After Alice receives
Bob's ephemeral public key, she computes $s_A = (x + a\bar{R}_A) \bmod q$ (814), where $\bar{R}$ denotes the
integer derived from the $x$-coordinate of the point $R$ in the usual MQV manner. Then Alice
computes the shared secret $K = s_A(R_B + \bar{R}_B Y_B)$ (818). After Bob receives Alice's ephemeral
public key $xP$, he computes $s_B = (y + b\bar{R}_B) \bmod q$ (816). Then Bob computes
$K = s_B(R_A + \bar{R}_A Y_A)$ (820). Both computations yield the same point $K = s_A s_B P$, since
$R_B + \bar{R}_B Y_B = s_B P$ and $R_A + \bar{R}_A Y_A = s_A P$. When computing $R_A$ and $R_B$, it is recognized
that either or both of the correspondents may use the method of Figure 2.
Although the invention has been described with reference to certain specific
embodiments, various modifications thereof will be apparent to those skilled in the art without
departing from the spirit and scope of the invention as outlined in the claims appended hereto.

It is recognized that the method of Figure 2 may be applied widely and in many different
protocols and applications. One further example is that the method of Figure 2 may be applied to
any of the simultaneous multiplication methods, as exemplified in Figure 3.